FDA Cybersecurity Remediation

It varies quite a bit based on the state of the current documentation and the required speed of completion. If you have completed most documents and are looking for an expert review, the cost tends to be about $15k.

For most prospective documentation projects for class II devices, the cost is often between $30k and $40k.

Note this does not include any software development work for implementing cybersecurity controls, although we can help with that too.

Please reach out to use and we can provide you a list of our hourly rates for the following roles:

• Partner
• Senior Regulatory Consultant
• Regulatory Consultant
• Staff Software Engineer
• Senior Software Engineer
• Software Engineer
• Data Annotation Associate

No. We do not work on a fixed-price basis. We will provide a detailed cost estimate before we start the project and we’ll provide budget estimates through out the project, however, due to the differing nature of each project its not possible to provide a fixed-price estimate.

Unless your medical device was designed with security in mind, it's likely that some software changes will be required. Our process is tailored to pinpoint these necessary changes swiftly so your engineers can start working on them. In some instances, we can also provide software engineering support.

Yes! Please review our case studies for a sampling of our past projects. If you don’t see anything relevant, please reach out as only a small number of our projects have case studies.

Yes! We can work your team team to develop a threat model over a sequence of collaborative meetings. As part of threat modeling we’ll develop a set of security architecture views that comply with FDA’s expectations. We’ll guide the team through identifying external connections, assets, threat actors, and threats. Our threat modeling typically uses STRIDE combined with other threat modeling methodologies as is appropriate.

Our threat modeling approach considers the full end-to-end system, including “other functions”.

Yes! We can guide the Client’s team through writing an appropriate Security Risk Management Plan, including an appropriate means of assessing security risks.

We can then guide the team through a security risk assessment, using the threat modeling as an input. We’ll work with the team to trace security risks to safety risks. We’ll also help identify relevant cybersecurity controls (see the next section) and help ensure there is proper cybersecurity traceability.

Yes! We’ll work with the team to identify appropriate security risk controls against the FDA guidance. FDA typically requires at minimum one or two controls from each control category:

• authentication
• authorization
• cryptography
• integrity
• confidentiality
• detection
• resiliency & recovery
• updates.

We’ll work with you to identify the most useful controls that add the minimum necessary software development cost. We also understand what controls FDA expects for different types of devices.

In most cases, yes.

We can usually produce an FDA-compliant SBOM with minimal input from your engineers.

Alternatively, we can your engineers set up tools to automatically generate an SBOM as part of their automated build procedures (e.g., using a GitHub Action that produces the SBOM as a build artifact). This second approach takes longer in the short term, but is more efficient long term.

We can guide your engineering team through the cybersecurity testing process.

• Requirements Testing: Typically handled through standard Design Controls, however, we can help draft Design Verification Protocols for verification of the Design Control requirements.
• Vulnerability Testing: We can help select an appropriate vulnerability testing tool and incorporate it into the development workflow. This typically includes analyzing third-party packages for vulnerabilities along with static code analysis.
• Fuzz Testing: We can help identify appropriate interfaces to fuzz test, define the scope, and can even help implement fuzz testing.
• Penetration Testing: We can help select an appropriate pen testing vendor and can facilitate communication with the vendor to ensure they provide records that meet the FDA guidance.

We can compile all of these records into tests that are appropriate for the 510(k) submission.

We can work with your team to draft the cybersecurity sections of the IFU based on our understanding of the device and previous submissions. This includes:

• Instructions related to the user’s security responsibilities
• Security diagrams
• SBOM access
• Software update notification
• Security anomaly reporting and detection
• Backup and restore functionality

No, we can’t make such a guarantee.

FDA’s expectations are continuing to evolve. Strategies that we’ve seen work previously have stopped working in new submissions. Most teams also can’t implement everything in the guidance (and FDA doesn’t expect you to). We therefore will try to find the right amount of effort required for your device. Sometimes we will undershoot.